SSL
description
Transcript of SSL
![Page 1: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/1.jpg)
SSL
Prof. Ravi Sandhu
![Page 2: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/2.jpg)
2© Ravi Sandhu
CONTEXT Mid to late 90’s
SSL 1.0 never released SSL 2.0 flawed SSL 3.0 complete redesign TLS from Netscape to IETF
Competitors SET backed by credit card companies S-HTTP (as opposed to https) IPSEC backed by IETF committees SSH for secure remote access to Unix hosts
![Page 3: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/3.jpg)
3© Ravi Sandhu
CRYPTOGRAPHIC SERVICES
Confidentiality Encryption leaks profusely via side
channels Authentication + Integrity
No point having one without the other Non-repudiation
Requires asymmetric cryptography
![Page 4: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/4.jpg)
4© Ravi Sandhu
SYMMETRIC KEY ENCRYPTION
EncryptionAlgorithm E
DecryptionAlgorithm D
Plain-text
Plain-text
Ciphertext
INSECURE CHANNEL
K KSymmetric Keyshared byA and B
CONFIDENTIAL AND AUTHENTICATED CHANNEL
A B
![Page 5: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/5.jpg)
5© Ravi Sandhu
SYMMETRIC KEY AUTHENTICATION
MACAlgorithm M
VerificationAlgorithm V
Plain-text
Yes/NoPlaintext + MAC
INSECURE CHANNEL
K
A BK
MAC: Message Authentication CodeCONFIDENTIAL AND AUTHENTICATED CHANNEL
![Page 6: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/6.jpg)
6© Ravi Sandhu
ASYMMETRIC KEY ENCRYPTION
EncryptionAlgorithm E
DecryptionAlgorithm D
Plain-text
Plain-text
Ciphertext
INSECURE CHANNEL
B's Public Key B's Private Key
AUTHENTICATED CHANNEL
A B
![Page 7: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/7.jpg)
7© Ravi Sandhu
ASYMMETRIC KEY DIGITAL SIGNATURES
SignatureAlgorithm S
VerificationAlgorithm V
Plain-text
Yes/NoPlaintext + SignatureINSECURE CHANNEL
A's Private Key A's Public Key
AUTHENTICATED CHANNEL
A B
![Page 8: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/8.jpg)
8© Ravi Sandhu
SPEED OF ASYMMETRIC KEY VERSUS SYMMETRIC KEY
Asymmetric key runs 2-3 orders of magnitude slower than symmetric key
This large difference in speed is likely to remain independent of technology advances
![Page 9: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/9.jpg)
9© Ravi Sandhu
MESSAGE DIGEST
message digest algorithm
original messageno practical limit to size
message digest160 biteasy hard
sign the message digestnot the message
![Page 10: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/10.jpg)
10© Ravi Sandhu
CHALLENGE RESPONSE AUTHENTICATION
HOSTWORKSTATION
NETWORK
User ID
Challenge
Response
![Page 11: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/11.jpg)
11© Ravi Sandhu
PUBLIC-KEY CERTIFICATES authenticated distribution of public-
keys public-key encryption
sender needs public key of receiver public-key digital signatures
receiver needs public key of sender public-key key agreement
either one or both need the other’s public key
![Page 12: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/12.jpg)
12© Ravi Sandhu
X.509v1 CERTIFICATEauthenticated distribution of public-keys
VERSIONSERIAL NUMBER
SIGNATURE ALGORITHMISSUER
VALIDITYSUBJECT
SUBJECT PUBLIC KEY INFOSIGNATURE
![Page 13: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/13.jpg)
13© Ravi Sandhu
X.509v1 CERTIFICATE
11234567891011121314
RSA+MD5, 512C=US, S=VA, O=GMU, OU=ISE
9/9/99-1/1/1C=US, S=VA, O=GMU, OU=ISE, CN=Ravi Sandhu
RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxxSIGNATURE
![Page 14: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/14.jpg)
14© Ravi Sandhu
CRL FORMAT
SIGNATURE ALGORITHMISSUER
LAST UPDATENEXT UPDATE
REVOKED CERTIFICATESSIGNATURE
SERIAL NUMBERREVOCATION DATE
![Page 15: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/15.jpg)
15© Ravi Sandhu
X.509 CERTIFICATES
X.509v1 very basic
X.509v2 adds unique identifiers to prevent
against reuse of X.500 names X.509v3
adds many extensions can be further extended
![Page 16: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/16.jpg)
16© Ravi Sandhu
CERTIFICATE TRUST
how to acquire public key of the issuer to verify signature
whether or not to trust certificates signed by the issuer for this subject
![Page 17: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/17.jpg)
17© Ravi Sandhu
SINGLE ROOT CA MODELRootCA
a b c d e f g h i j k l m n o p
RootCAUser
![Page 18: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/18.jpg)
18© Ravi Sandhu
SINGLE ROOT CAMULTIPLE RA’s MODEL
RootCA
a b c d e f g h i j k l m n o p
RootCA
User RA
User RA
User RA
![Page 19: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/19.jpg)
19© Ravi Sandhu
MULTIPLE ROOT CA’s MODEL
RootCA
a b c d e f g h i j k l m n o p
RootCAUser
RootCA
RootCA
RootCAUser
RootCAUser
![Page 20: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/20.jpg)
20© Ravi Sandhu
MULTIPLE ROOT CA’s PLUS INTERMEDIATE CA’s MODEL
X
Q
A
R
S T
C E G I K M O
a b c d e f g h i j k l m n o p
ESTABLISHED BROWSER MODEL
![Page 21: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/21.jpg)
21© Ravi Sandhu
SECURE ELECTRONIC TRANSACTIONS (SET) CA HIERARCHY
Root
Brand BrandBrand
Geo-Political
Bank Acquirer
Customer Merchant
![Page 22: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/22.jpg)
22© Ravi Sandhu
THE CERTIFICATE TRIANGLE
user
attribute public-key
X.509identity
certificate
X.509attribute
certificate
SPKIcertificate
![Page 23: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/23.jpg)
23© Ravi Sandhu
SSL SERVICES
peer entity authentication data confidentiality data authentication and integrity compression/decompression generation/distribution of session keys
integrated into protocol security parameter negotiation
![Page 24: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/24.jpg)
24© Ravi Sandhu
SSL ARCHITECTURE
SSL Record ProtocolTCPIP
SSLHandshake
Protocol
SSL ChangeCipher Spec
Protocol
SSLAlert
ProtocolHTTP
OtherApplicationProtocols
![Page 25: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/25.jpg)
25© Ravi Sandhu
APPLICATION PORTS
https 443 ssmtp 465 snntp 563 sldap 636 spop3 995
ftp-data 889 ftps 990 imaps 991 telnets 992 ircs 993
![Page 26: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/26.jpg)
26© Ravi Sandhu
SSL ARCHITECTURE
Handshake protocol: complicated embodies key exchange & authentication 10 message types
Record protocol: straightforward fragment, compress, MAC, encrypt
Change Cipher Spec protocol: straightforward single 1 byte message with value 1 could be considered part of handshake protocol
Alert protocol: straightforward 2 byte messages
• 1 byte alert level- fatal or warning; 1 byte alert code
![Page 27: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/27.jpg)
27© Ravi Sandhu
SSL SESSION SSL session negotiated by handshake protocol
session ID• chosen by server
X.509 public-key certificate of peer• possibly null
compression algorithm cipher spec
• encryption algorithm • message digest algorithm
master secret• 48 byte shared secret
is resumable flag• can be used to initiate new connections• each session is created with one connection, but additional
connections within the session can be further created
![Page 28: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/28.jpg)
28© Ravi Sandhu
SSL CONNECTION STATE
connection end: client or server client and server random: 32 bytes each keys generated from master secret, client/server random
client_write_MAC_secret server_write_MAC_secret client_write_key server_write_key client_write_IV server_write_IV
compression state cipher state: initially IV, subsequently next feedback block sequence number: starts at 0, max 264-1
![Page 29: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/29.jpg)
29© Ravi Sandhu
SSL CONNECTION STATE
4 parts to state current read state current write state pending read state pending write state
handshake protocol initially current state is empty either pending state can be made current and
reinitialized to empty
![Page 30: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/30.jpg)
30© Ravi Sandhu
SSL RECORD PROTOCOL
4 steps by sender (reversed by receiver) Fragmentation Compression MAC Encryption
![Page 31: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/31.jpg)
31© Ravi Sandhu
SSL RECORD PROTOCOL
each SSL record contains content type: 8 bits, only 4 defined
• change_cipher_spec• alert• handshake• application_data
protocol version number: 8 bits major, 8 bits minor length: max 16K bytes (actually 214+2048) data payload: optionally compressed and encrypted message authentication code (MAC)
![Page 32: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/32.jpg)
32© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
initially SSL session has null compression and cipher algorithms
both are set by the handshake protocol at beginning of session
handshake protocol may be repeated during the session
![Page 33: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/33.jpg)
33© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Type: 1 byte 10 message types defined
length: 3 bytes content
![Page 34: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/34.jpg)
34© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 35: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/35.jpg)
35© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Phase 1: Establish security capabilities
Phase 2: Server authentication and key exchange
Phase 3: Client authentication and key exchange
Phase 4: Finish
![Page 36: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/36.jpg)
36© Ravi Sandhu
SSL 1-WAY HANDSHAKE WITH RSA
Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Fig. 1 - Message flow for a full handshake * Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 37: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/37.jpg)
37© Ravi Sandhu
SSL 2-WAY HANDSHAKE WITH RSA
Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Fig. 1 - Message flow for a full handshake * Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 38: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/38.jpg)
38© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
these 9 handshake messages must occur in order shown
optional messages can be eliminated 10th message explained later
hello_request message change_cipher_spec is a separate 1
message protocol functionally it is just like a message in the
handshake protocol
![Page 39: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/39.jpg)
39© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello [ChangeCipherSpec] <-------- Finished [ChangeCipherSpec] Finished --------> Application Data <-------> Application Data
Fig. 2 - Message flow for an abbreviated handshake
![Page 40: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/40.jpg)
40© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
hello_request (not shown) can be sent anytime from server to client to request client to start handshake protocol to renegotiate session when convenient
can be ignored by client if already negotiating a session don’t want to renegotiate a session
• client may respond with a no_renegotiation alert
![Page 41: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/41.jpg)
41© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 42: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/42.jpg)
42© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
client hello 4 byte timestamp, 28 byte random value session ID:
• non-zero for new connection on existing session• zero for new connection on new session
client version: highest version cipher_suite list: ordered list compression list: ordered list
![Page 43: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/43.jpg)
43© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
server hello 32 byte random value session ID:
• new or reuse version
• lower of client suggested and highest supported cipher_suite list: single choice compression list: single choice
![Page 44: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/44.jpg)
44© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
cipher suite key exchange method
• RSA: requires receiver’s public-key certificates• Fixed DH: requires both sides to have public-key
certificates• Ephemeral DH: signed ephemeral keys are
exchanged, need signature keys and public-key certificates on both sides
• Anonymous DH: no authentication of DH keys, susceptible to man-in-the-middle attack
• Fortezza: Fortezza key exchangewe will ignore Fortezza from here on
![Page 45: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/45.jpg)
45© Ravi Sandhu
SSL HANDSHAKE: PHASE 1ESTABLISH SECURITY CAPABILITIES
cipher suite cipher spec
• CipherAlgorithm: RC4, RC2, DES, 3DES, DES40, IDEA, Fortezza
• MACAlgorithm: MD5 or SHA-1• CipherType: stream or block• IsExportable: true or false• HashSize: 0, 16 or 20 bytes• Key Material: used to generate write keys• IV Size: size of IV for CBC
![Page 46: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/46.jpg)
46© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 47: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/47.jpg)
47© Ravi Sandhu
SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE
Certificate message server’s X.509v3 certificate followed by optional chain of
certificates required for RSA, Fixed DH, Ephemeral DH but not for
Anonymous DH Server Key Exchange message
not needed for RSA, Fixed DH needed for Anonymous DH, Ephemeral DH needed for RSA where server has signature-only key
• server sends temporary RSA public encryption key to client
![Page 48: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/48.jpg)
48© Ravi Sandhu
SSL HANDSHAKE: PHASE 2SERVER AUTHENTICATION & KEY EXCHANGE
Server Key Exchange message signed by the server signature is on hash of
• ClientHello.random, ServerHello.random• Server Key Exchange parameters
Certificate Request message request a certificate from client specifies Certificate Type and Certificate Authorities
• certificate type specifies public-key algorithm and use Server Done message
ends phase 2, always required
![Page 49: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/49.jpg)
49© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 50: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/50.jpg)
50© Ravi Sandhu
SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE
Certificate message send if server has requested certificate and client has
appropriate certificate• otherwise send no_certificate alert
Client Key Exchange message content depends on type of key exchange (see next slide)
Certificate Verify message can be optionally sent following a client certificate with signing
capability signs hash of master secret (established by key exchange) and
all handshake messages so far provides evidence of possessing private key corresponding to
certificate
![Page 51: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/51.jpg)
51© Ravi Sandhu
SSL HANDSHAKE: PHASE 3CLIENT AUTHENTICATION & KEY EXCHANGE
Client Key Exchange message RSA
• client generates 48-byte pre-master secret, encrypts with server’s RSA public key (from server certificate or temporary key from Server Key Exchange message)
Ephemeral or Anonymous DH• client’s public DH value
Fixed DH• null, public key previously sent in Certificate Message
![Page 52: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/52.jpg)
52© Ravi Sandhu
SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION
48 byte pre master secret RSA
• generated by client• sent encrypted to server
DH• both sides compute the same value• each side uses its own private value and the
other sides public value
![Page 53: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/53.jpg)
53© Ravi Sandhu
SSL HANDSHAKE: POST PHASE 3CRYPTOGRAPHIC COMPUTATION
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) [0..47];
pre_master_secret: 48 bytes
PRF is composed of a sequence and nesting of HMACs
![Page 54: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/54.jpg)
54© Ravi Sandhu
SSL HANDSHAKE PROTOCOL
Client Server
ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not always sent.
Phase 1
Phase 2
Phase 3
Phase 4
RecordProtocol
![Page 55: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/55.jpg)
55© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
Change Cipher Spec message not considered part of handshake
protocol but in some sense is part of it Finished message
sent under new algorithms and keys content is hash of all previous messages
and master secret
![Page 56: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/56.jpg)
56© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
Change Cipher Spec message 1 byte message protected by current state copies pending state to current state
• sender copies write pending state to write current state
• receiver copies read pending state to read current state
immediately send finished message under new current state
![Page 57: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/57.jpg)
57© Ravi Sandhu
SSL HANDSHAKE: PHASE 4FINISH
verify_data PRF(master_secret, finished_label, MD5(handshake_messages)+ SHA-1(handshake_messages)) [0..11];
finished_label For Finished messages sent by the client, the string "client finished". For Finished messages sent by the server, the string "server finished".
handshake_messages All of the data from all handshake messages up to but not including this message. This is only data visible at the handshake layer and does not include record layer headers.
Finished message
![Page 58: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/58.jpg)
58© Ravi Sandhu
SSL ALERT PROTOCOL
2 byte alert messages 1 byte level
• fatal or warning 1 byte
• alert code
![Page 59: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/59.jpg)
59© Ravi Sandhu
SSL ALERT MESSAGESWarning or fatal
close_notify(0), unexpected_message(10), bad_record_mac(20), decryption_failed(21), record_overflow(22),
decompression_failure(30), handshake_failure(40), bad_certificate(42), unsupported_certificate(43), certificate_revoked(44), certificate_expired(45), certificate_unknown(46), illegal_parameter(47), unknown_ca(48), access_denied(49), decode_error(50), decrypt_error(51), export_restriction(60), protocol_version(70), insufficient_security(71), internal_error(80), user_canceled(90), no_renegotiation(100),
![Page 60: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/60.jpg)
60© Ravi Sandhu
SSL ALERT MESSAGES
always fatal unexpected_message bad_record_mac decompression_failure handshake_failure illegal_parameter
![Page 61: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/61.jpg)
61© Ravi Sandhu
SERVER-SIDE SSL (OR 1-WAY) HANDSHAKE WITH RSA
Client Server ClientHello --------> ServerHello Certificate <-------- ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
RecordProtocol
HandshakeProtocol
![Page 62: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/62.jpg)
62© Ravi Sandhu
SERVER-SIDE MASQUARADING
BobWeb browser
www.host.comWeb serverServer-side SSL
UltratrustSecurityServices
www.host.com
![Page 63: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/63.jpg)
63© Ravi Sandhu
SERVER-SIDE MASQUARADING
BobWeb browser
www.host.comWeb server
Server-side SSL UltratrustSecurityServices
www.host.comMallory’sWeb server
BIMMCorporation
www.host.com
Server-side SSL
![Page 64: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/64.jpg)
64© Ravi Sandhu
SERVER-SIDE MASQUARADING
BobWeb browser
www.host.comWeb server
Server-side SSL UltratrustSecurityServices
www.host.comMallory’sWeb server
Server-side SSL
BIMMCorporation
UltratrustSecurityServices
www.host.com
![Page 65: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/65.jpg)
65© Ravi Sandhu
CLIENT-SIDE SSL (OR 2-WAY) HANDSHAKE WITH RSA
Client Server ClientHello --------> ServerHello Certificate CertificateRequest <-------- ServerHelloDone Certificate ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data
RecordProtocol
HandshakeProtocol
![Page 66: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/66.jpg)
66© Ravi Sandhu
MAN IN THE MIDDLEMASQUARADING PREVENTED
BobWeb browser
www.host.comWeb server
Client-side SSL
UltratrustSecurityServices
www.host.com
Mallory’sWeb server
BIMMCorporation
Client-side SSL
UltratrustSecurityServices
www.host.com
Client Side SSLend-to-endUltratrust
SecurityServices
Bob
BIMMCorporation
UltratrustSecurityServices
Bob
![Page 67: SSL](https://reader035.fdocuments.us/reader035/viewer/2022070501/56816979550346895de1720f/html5/thumbnails/67.jpg)
67© Ravi Sandhu
SSL Deployed in broken form Guardian of e-commerce World’s most successful crypto protocol